12218959

Efficient Threat Context-Aware Packet Filtering for Network Protection

Published: February 4, 2025
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
30 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet-matching criteria and one or more actions to be performed, wherein: the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and a first packet-filtering rule, of the plurality of packet-filtering rules, indicates a first directive and is associated with a disposition that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; determine, based on the first threat context information, a first disposition; selectively apply, based on the first disposition and to the first in-transit packet, the first directive of the first packet-filtering rule; and apply the first disposition to the first in-transit packet; receive, from the first network and at a second time, a second in-transit packet destined to at least one location in the second network; and based on determining that the second in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine second threat context information associated with receipt of the second in-transit packet by the packet-filtering appliance, wherein the second threat context information has at least one value different from the first threat context information; determine, based on the second threat context information and independently from the determining the first disposition, a second disposition different from the first disposition; and selectively apply, based on the second disposition and to the second in-transit packet, the first directive of the first packet-filtering rule; and apply the second disposition to the second in-transit packet.

2. The packet-filtering appliance of claim 1, wherein: the first directive comprises a spoof-tcp-rst directive, the first disposition comprises an allow disposition, and the instructions, when executed by the one or more processors, cause the packet-filtering appliance to prevent, based on the first disposition, application of the first directive to the first in-transit packet.

3. The packet-filtering appliance of claim 2, wherein: the second disposition comprises a block disposition, and the instructions, when executed by the one or more processors, cause the packet-filtering appliance to apply, based on the second disposition, the first directive to the second in-transit packet.

4. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering appliance to selectively apply, based on the first disposition, the first directive to the first in-transit packet by: selecting between applying the first directive to the first in-transit packet and preventing application of the first directive to the first in-transit packet, based on whether the first disposition is a block disposition or an allow disposition.

5. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, further cause the packet-filtering appliance to: determine, based on the first disposition, a second directive; and apply the second directive to the first in-transit packet.

6. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering appliance to complete applying the first disposition to the first in-transit packet before the packet-filtering appliance applies the second disposition to the second in-transit packet.

7. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering appliance to determine the first threat context information based on an observation time of the first in-transit packet.

8. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering appliance to determine the first threat context information based on whether the first in-transit packet is a member of an attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

9. The packet-filtering appliance of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering appliance to determine the first threat context information based on whether the first in-transit packet is a member of a multi-packet multi-flow attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

10. The packet-filtering appliance of claim 1, wherein: the first threat context information comprises a first plurality of elements of information and the second threat context information comprises a second plurality of elements of information; the packet-filtering appliance further comprises an artificial neural network comprising a plurality of input nodes and a plurality of output nodes; the instructions, when executed by the one or more processors, cause the packet-filtering appliance to determine the first disposition, by at least: providing the first plurality of elements of information to at least some of the plurality of input nodes of the artificial neural network; and receiving, via at least one of the plurality of output nodes of the artificial neural network, an indication of the first disposition; the instructions, when executed by the one or more processors, cause the packet-filtering appliance to determine the second disposition, by at least: providing the second plurality of elements of information to at least some of the plurality of input nodes of the artificial neural network; and receiving, via at least one of the plurality of output nodes of the artificial neural network, an indication of the second disposition; and the instructions, when executed by the one or more processors, cause the packet-filtering appliance to: determine, based on the indication of the first disposition from the artificial neural network, whether to implement the first directive for the first in-transit packet; and determine, based on the indication of the second disposition from the artificial neural network, whether to implement the first directive for the second in-transit packet.

11. A non-transitory computer-readable medium storing instructions that, when executed, configure a packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet-matching criteria and one or more actions to be performed, wherein: the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and a first packet-filtering rule, of the plurality of packet-filtering rules, indicates a first directive and is associated with a disposition that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; determine, based on the first threat context information, a first disposition; selectively apply, based on the first disposition and to the first in-transit packet, the first directive of the first packet-filtering rule; and apply the first disposition to the first in-transit packet; receive, from the first network and at a second time, a second in-transit packet destined to at least one location in the second network; and based on determining that the second in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine second threat context information associated with receipt of the second in-transit packet by the packet-filtering appliance, wherein the second threat context information has at least one value different from the first threat context information; determine, based on the second threat context information and independently from the determining the first disposition, a second disposition different from the first disposition; and selectively apply, based on the second disposition and to the second in-transit packet, the first directive of the first packet-filtering rule; and apply the second disposition to the second in-transit packet.

12. The non-transitory computer-readable medium of claim 11, wherein: the first directive comprises a spoof-tcp-rst directive, the first disposition comprises an allow disposition, and the instructions, when executed, configure the packet-filtering appliance to prevent, based on the first disposition, application of the first directive to the first in-transit packet.

13. The non-transitory computer-readable medium of claim 12, wherein: the second disposition comprises a block disposition, and the instructions, when executed, configure the packet-filtering appliance to apply, based on the second disposition, the first directive to the second in-transit packet.

14. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, configure the packet-filtering appliance to selectively apply, based on the first disposition, the first directive to the first in-transit packet by: selecting between applying the first directive to the first in-transit packet and preventing application of the first directive to the first in-transit packet, based on whether the first disposition is a block disposition or an allow disposition.

15. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, further configure the packet-filtering appliance to: determine, based on the first disposition, a second directive; and apply the second directive to the first in-transit packet.

16. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, configure the packet-filtering appliance to initiate applying the first disposition to the first in-transit packet before processing the second in-transit packet.

17. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, configure the packet-filtering appliance to complete applying the first disposition to the first in-transit packet before applying the second disposition to the second in-transit packet.

18. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, configure the packet-filtering appliance to determine the first threat context information based on whether the first in-transit packet is a member of an attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

19. The non-transitory computer-readable medium of claim 11, wherein the instructions, when executed, configure the packet-filtering appliance to determine the first threat context information based on whether the first in-transit packet is a member of a multi-packet multi-flow attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

20. The non-transitory computer-readable medium of claim 11, wherein: the first threat context information comprises a first plurality of elements of information and the second threat context information comprises a second plurality of elements of information; the instructions, when executed, configure the packet-filtering appliance to determine the first disposition, by at least: providing the first plurality of elements of information to at least some input nodes of a plurality of input nodes of an artificial neural network; and receiving, via at least one output node of a plurality of output nodes of the artificial neural network, an indication of the first disposition; the instructions, when executed, configure the packet-filtering appliance to determine the second disposition, by at least: providing the second plurality of elements of information to at least some of the plurality of input nodes of the artificial neural network; and receiving, via at least one of the plurality of output nodes of the artificial neural network, an indication of the second disposition; and the instructions, when executed, configure the packet-filtering appliance to: determine, based on the indication of the first disposition from the artificial neural network, whether to implement the first directive for the first in-transit packet; and determine, based on the indication of the second disposition from the artificial neural network, whether to implement the first directive for the second in-transit packet.

21. A method comprising: receiving, by a packet-filtering appliance, a plurality of packet-filtering rules each indicating one or more packet-matching criteria and one or more actions to be performed, wherein: the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and a first packet-filtering rule, of the plurality of packet-filtering rules, indicates a first directive and is associated with a disposition that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received; receiving, by the packet-filtering appliance from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule, the packet-filtering appliance performing: determining first threat context information associated with the receiving the first in-transit packet; determining, based on the first threat context information, a first disposition; selectively applying, based on the first disposition and to the first in-transit packet, the first directive of the first packet-filtering rule; and applying the first disposition to the first in-transit packet; receiving, by the packet-filtering appliance from the first network and at a second time, a second in-transit packet destined to at least one location in the second network; and based on determining that the second in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule, the packet-filtering appliance performing: determining second threat context information associated with the receiving the second in-transit packet, wherein the second threat context information has at least one value different from the first threat context information; determining, based on the second threat context information and independently from the determining the first disposition, a second disposition different from the first disposition; and selectively applying, based on the second disposition and to the second in-transit packet, the first directive of the first packet-filtering rule; and applying the second disposition to the second in-transit packet.

22. The method of claim 21, wherein the first directive comprises a spoof-tcp-rst directive, the first disposition comprises an allow disposition, and the selectively applying, based on the first disposition, the first directive to the first in-transit packet comprises preventing application of the first directive to the first in-transit packet.

23. The method of claim 22, wherein the second disposition comprises a block disposition, and the selectively applying, based on the second disposition, the first directive to the second in-transit packet comprises applying the first directive to the second in-transit packet.

24. The method of claim 21, wherein the selectively applying, based on the first disposition, the first directive to the first in-transit packet comprises selecting between applying the first directive to the first in-transit packet and preventing application of the first directive to the first in-transit packet, based on whether the first disposition is a block disposition or an allow disposition.

25. The method of claim 21, further comprising: determining, based on the first disposition, a second directive; and applying the second directive to the first in-transit packet.

26. The method of claim 21, wherein the applying the first disposition to the first in-transit packet is completed before the packet-filtering appliance applies the second disposition to the second in-transit packet.

27. The method of claim 21, wherein the determining the first threat context information comprises determining the first threat context information based on an observation time of the first in-transit packet.

28. The method of claim 21, wherein the determining the first threat context information comprises determining the first threat context information based on whether the first in-transit packet is a member of an attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

29. The method of claim 21, wherein the determining the first threat context information comprises determining the first threat context information based on whether the first in-transit packet is a member of a multi-packet multi-flow attack that is active at a time that the first in-transit packet is received by the packet-filtering appliance.

30. The method of claim 21, wherein: the first threat context information comprises a first plurality of elements of information and the second threat context information comprises a second plurality of elements of information; the packet-filtering appliance comprises an artificial neural network comprising a plurality of input nodes and a plurality of output nodes; the determining the first disposition comprises: providing the first plurality of elements of information to at least some of the plurality of input nodes of the artificial neural network; and receiving, via at least one of the plurality of output nodes of the artificial neural network, an indication of the first disposition; the determining the second disposition comprises: providing the second plurality of elements of information to at least some of the plurality of input nodes of the artificial neural network; and receiving, via at least one of the plurality of output nodes of the artificial neural network, an indication of the second disposition; and the packet-filtering appliance comprises logic configured to: determine, based on the indication of the first disposition from the artificial neural network, whether to implement the first directive for the first in-transit packet; and determine, based on the indication of the second disposition from the artificial neural network, whether to implement the first directive for the second in-transit packet.
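The claims state the mechanism abstractly. The following is an added example, written for this page and not code from the patent, its inventors or any assignee, that models the core of claims 1 to 5 in Python: a rule generated from a CTI network-address indicator carries a fixed spoof-tcp-rst directive, the disposition is decided per packet from threat context gathered at receipt (observation time and active-attack membership, as in claims 7 to 9), and the directive is applied only when that disposition is block. The indicator, the decision policy and the two packets are constructed assumptions; in claim 10 the policy would be an artificial neural network fed the same context elements.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

@dataclass
class ThreatContext:
    """Threat context gathered when a packet is received (claims 7-9)."""
    observation_time: datetime
    active_attack_member: bool = False  # packet belongs to an attack active right now
    multi_flow_attack: bool = False     # ...specifically a multi-packet, multi-flow attack

@dataclass
class Rule:
    """Rule generated from a CTI indicator: the directive is fixed when the rule is
    generated; the disposition is decided only when a matching packet arrives."""
    indicator: str                          # network address or CIDR from a CTI report
    directive: str                          # e.g. "spoof-tcp-rst"
    decide: Callable[[ThreatContext], str]  # returns "allow" or "block"

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.indicator, strict=False)

def disposition_from_context(ctx: ThreatContext) -> str:
    """Hypothetical policy standing in for the classifier (a neural network in claim 10):
    block if the packet is part of an active attack or the indicator is hit off-hours."""
    if ctx.active_attack_member or ctx.multi_flow_attack:
        return "block"
    if not time(8, 0) <= ctx.observation_time.time() <= time(18, 0):
        return "block"
    return "allow"

class Appliance:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def filter(self, src_ip: str, ctx: ThreatContext) -> Optional[Tuple[str, List[str]]]:
        """Returns (disposition, directives applied) for the first matching rule, else None."""
        for rule in self.rules:
            if not rule.matches(src_ip):
                continue
            # Disposition comes from THIS packet's context, independent of earlier packets.
            disposition = rule.decide(ctx)
            applied = []
            # Selective application: the rule's directive fires only under a block
            # disposition, so an allowed match is never answered with a spoofed RST.
            if disposition == "block":
                applied.append(rule.directive)
            applied.append("log")  # second directive derived from the disposition (claim 5)
            return disposition, applied
        return None  # no CTI indicator matched: ordinary forwarding

# Constructed indicator in a documentation range, not a real IoC.
RULES = [Rule("203.0.113.0/24", "spoof-tcp-rst", disposition_from_context)]

def demo():
    """Same source address, same rule, two contexts: allow first, then block."""
    fw = Appliance(RULES)
    first = fw.filter("203.0.113.7", ThreatContext(datetime(2025, 2, 4, 10, 0)))
    second = fw.filter("203.0.113.7", ThreatContext(datetime(2025, 2, 4, 10, 5),
                                                    active_attack_member=True))
    return first, second
```

The second packet matches the same rule as the first, yet only it receives the spoof-tcp-rst directive, because its context (membership in an active attack) yields a block disposition.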

Patent Metadata

Filing Date

Unknown

Publication Date

February 4, 2025

Inventors

Sean Moore
Jonathan R. Rogers
Mr. Vincent Mutolo
Peter P. Geremia


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Efficient Threat Context-Aware Packet Filtering for Network Protection” (12218959). https://patentable.app/patents/12218959
